Changeset 2a5d02a in github


Timestamp:
Jul 21, 2009 12:13:42 PM (4 years ago)
Author:
thomascube <thomas@…>
Branches:
master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8
Children:
a0c4cbe
Parents:
5499336
Message:

Also protect GET request from CSRF

Files:
3 edited

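--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,4 +4,5 @@
 - Fix import of vCard entries with params (#1485453)
 - Fix HTML messages output with empty block elements (#1485974)
+- Use request tokens to protect POST requests from CSFR
 - Added hook when killing a session
 - Added hook to write_log function (#1485971)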
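--- a/program/js/app.js
+++ b/program/js/app.js
@@ -2970,6 +2970,7 @@
     id = this.env.iid ? this.env.iid : selection[0];
 
-    // if (this.env.framed && id)
-    this.goto_url('delete-identity', '_iid='+id, true);
+    // append token to request
+    this.goto_url('delete-identity', '_iid='+id+'&_token='+this.env.request_token, true);
+
     return true;
     };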
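Review bot: The request token on the new line 2973 is concatenated straight into a GET query string, so it now travels in the URL and will show up in browser history, in Referer headers sent to any third-party resource loaded from the next page, and in proxy and server access logs — a known weakness of URL-borne CSRF tokens. Since goto_url (defined outside this hunk) appears to take a raw query string, the value should at least be URL-encoded, `'_iid='+id+'&_token='+encodeURIComponent(this.env.request_token)`, unless request_token is guaranteed to be URL-safe, which is not visible here. Longer term a POST body or a custom request header keeps the token out of the URL entirely. The enclosing function begins outside this hunk.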
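--- a/program/steps/settings/delete_identity.inc
+++ b/program/steps/settings/delete_identity.inc
@@ -6,5 +6,5 @@
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
-| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
+| Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
@@ -20,9 +20,18 @@
 */
 
-if (($ids = get_input_value('_iid', RCUBE_INPUT_GET)) && preg_match('/^[0-9]+(,[0-9]+)*$/', $ids))
+$iid = get_input_value('_iid', RCUBE_INPUT_GPC);
+
+// check request token
+if (!$OUTPUT->ajax_call && !$RCMAIL->check_request(RCUBE_INPUT_GPC)) {
+  $OUTPUT->show_message('invalidrequest', 'error');
+  rcmail_overwrite_action('identities');
+  return;
+}
+
+if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid))
 {
-  $plugin = $RCMAIL->plugins->exec_hook('delete_identity', array('id' => $ids));
+  $plugin = $RCMAIL->plugins->exec_hook('delete_identity', array('id' => $iid));
 
-  if (!$plugin['abort'] && $USER->delete_identity($ids)) {
+  if (!$plugin['abort'] && $USER->delete_identity($iid)) {
     $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
   }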
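Review bot: The token check on the new line 25 is skipped entirely whenever `$OUTPUT->ajax_call` is set, so an AJAX-flagged request still deletes an identity without presenting any CSRF token. How `ajax_call` is derived is not visible here; if it comes from a request parameter (a `_remote`-style flag), a forged cross-site GET can simply set that parameter and bypass the protection this commit introduces. Since the companion app.js change now sends `_token` on the AJAX call as well, the exemption looks unnecessary: `if (!$RCMAIL->check_request(RCUBE_INPUT_GPC)) {`. If AJAX callers genuinely cannot supply a token, that exception deserves a comment explaining why it is safe, e.g. `// ajax callers are exempt because <reason> — see check_request()`.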